Archive for category Password Security
Password Cracking Arrives to the Cloud
Posted by Mourad Ben Lakhoua in News, Password Security on November 4, 2009
David Campbell, a security consultant, made a study of password safety. The research is based on evaluating the cost of cracking a password with Amazon's paid EC2 web service.
The security expert found that cracking a 12-character password made only of lowercase letters (a to z) would cost an attacker about 1.5 million dollars, while an 11-character password costs 60 thousand dollars and a 10-character one can be obtained for just 2,300 dollars.
Mixing numbers and letters in the password improves protection, but not as much as needed. For example, the cost to crack 10 alphanumeric characters is less than 60 thousand dollars, while for 11 characters the attacker would have to spend 2.1 million. Adding special characters (!@#$%) pushes the price to more than 106 thousand dollars for 8 characters.
Cloud computing has significantly reduced the cost of purchasing and maintaining expensive equipment, but it is time to invest part of the IT budget in solid protection such as two-factor authentication or a password management solution, to eliminate threats like password guessing and man-in-the-middle attacks.
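The figures above follow from keyspace size: each extra lowercase character multiplies the search by 26. The following added example (not from Campbell's study) calibrates a cost-per-guess on the post's 10-character lowercase figure and extrapolates the others; the alphabets for "alnum" (36) and "printable" (95) are assumptions chosen to match the quoted numbers.

```python
import math

# Calibration point taken from the post: a full search of 10 lowercase
# characters was priced at about 2300 dollars. Everything else is
# extrapolated from the size of the keyspace, assuming cost scales
# linearly with the number of guesses.
CALIBRATION_KEYSPACE = 26 ** 10
CALIBRATION_COST_USD = 2300.0
COST_PER_GUESS_USD = CALIBRATION_COST_USD / CALIBRATION_KEYSPACE

# Character classes. "alnum" as lowercase plus digits and "printable" as
# the 95 printable ASCII characters are assumptions that reproduce the
# post's figures; the post itself does not state the exact alphabets.
CHARSETS = {"lower": 26, "alnum": 36, "printable": 95}


def keyspace(charset: str, length: int) -> int:
    """Number of candidate passwords of the given class and length."""
    return CHARSETS[charset] ** length


def entropy_bits(charset: str, length: int) -> float:
    """Equivalent key strength in bits for a uniformly random password."""
    return length * math.log2(CHARSETS[charset])


def exhaustive_cost_usd(charset: str, length: int) -> float:
    """Estimated price of trying every candidate at the calibrated rate."""
    return keyspace(charset, length) * COST_PER_GUESS_USD


def strength_table(cases):
    """Rows of (charset, length, bits, cost) for (charset, length) pairs."""
    return [(c, n, round(entropy_bits(c, n), 1), round(exhaustive_cost_usd(c, n)))
            for c, n in cases]


if __name__ == "__main__":
    rows = strength_table([("lower", 10), ("lower", 11), ("lower", 12),
                           ("alnum", 10), ("alnum", 11), ("printable", 8)])
    for charset, length, bits, cost in rows:
        print(f"{charset:>9} x{length:2d}  {bits:5.1f} bits  ~${cost:>12,}")
```

Running it reproduces the post's 60 thousand / 1.5 million / 2.1 million / 106 thousand dollar figures to within rounding, which is a quick way to sanity-check a password policy against a budgeted attacker.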
make sure you subscribe to my RSS feed!
Password Auditing Tools
Posted by Mourad Ben Lakhoua in Password Security, Pentesting, Tools on August 15, 2009
A VPN (Virtual Private Network) is often used to secure communication over a public network. Many security specialists advise using one on public Wi-Fi to encrypt all traffic and make it impossible for an outsider to sniff information, or to provide remote access to an offsite user. But after implementing the VPN connection there is a testing phase for user authentication.
Now the question is: who said that cracking the password of a VPN account is impossible?
The THC group has proved that it is achievable with THC PPTP bruter. This software is a brute forcer for the PPTP protocol (1723/TCP); it only works if the authentication server uses Microsoft MS-CHAPv2, and it can be used against Windows and Cisco gateways.
The good point of the bruter is that you can attempt up to 300-400 passwords, depending on packet delivery speed. So the operation time depends on how many bytes long your password is (8 or less is very risky) and on the network speed; we can try 14 million passwords per hour (but this can take less time if you know the password policy used by the organization). The only disadvantage of pptp-bruter is that some third-party libraries are needed to compile the program.
Microsoft SQL servers also use authentication, and after implementing the database infrastructure, checking the security of user accounts is a must. Piggy 1.0.1 is a good tool for brute forcing and auditing passwords on Microsoft SQL Server. The good point of Piggy is that you can check multiple servers at the same time: after Nmap scans the network for available services and provides the IP addresses of servers with port 1433 (TCP) open, Piggy automatically starts auditing the servers' user passwords, with a very high probability of finding those accounts by using a dictionary attack.
Finally, here are some useful online links for cracking hashes:
http://passcracking.com/
http://www.hashchecker.com/index.php
http://www.milw0rm.com/
http://www.gdataonline.com/
http://www.md5hood.com/
and here is brute force in Python and Perl.
Vulnerability makes eBay Developers Program accounts at risk
Posted by Mourad Ben Lakhoua in Internet, News, Password Security, Vulnerabilities & attacks, Web Security on August 13, 2009
eBay security specialists have asked developer program members to change their passwords. This is due to a newly discovered vulnerability that can allow an attacker to intercept important account details.
Kumar Kandaswamy, eBay Developers Program manager, reported in the published guidance that the company has found a way in which an outsider can access users' account information in the eBay Developers Program, so as a preventive measure it is highly recommended to change all user passwords.
The vulnerability does not allow attackers to grab financial information such as credit card or bank account details or Social Security numbers.
But in 2007 a hacker called Vladuz managed to bypass all the protection measures and obtain unauthorized eBay access that is intended only for employees; as a result the hacker was arrested in Romania.
The eBay Developers Program helps users work with its API and develop online applications for web resources. Now when you click Join and want to select a new password, there are strict safety standards for creating it: “Your password must be 8 characters or longer, and contain at least 1 upper case letter (A-Z), 1 lower case letter (a-z), 1 number (0-9), and 1 special character (!@#$%*+-_.?). For example, Cool_devel0per.” That's good for users' security.
Brute Force & password recovery tools
Posted by Mourad Ben Lakhoua in Password Security, Tools on July 29, 2009
There is an immense number of brute force and password recovery tools that have been created to help security specialists in pentesting and in evaluating the password security level of applications and systems.
Let's start with Brutus AET2. There has been no update for this tool since 2000, but it still appears as one of the fastest and most modern tools for brute forcing internet protocols. If you need to test passwords for HTTP (websites that authenticate with a login and password) such as forums, email accounts, file and telnet servers, Brutus is a good choice.
To work with this tool you just add the target IP address and service port, select the protocol, the desired number of threads (max 60) and a timeout; if you also want to hide yourself during the operation you can use SOCKS or a proxy.
This tool uses a dictionary attack or a user-defined word list file. If you use the word list you can just add some words that you suspect the administrator might use, so it is a universal tool for HTTP, FTP, POP3 and Telnet.
L0phtcrack is used for auditing Windows system passwords; you can find more about their latest release, LC6. L0phtcrack is not free anymore, but you can replace it with Pwdump, with which you can get the same result.
THC-Hydra is the ideal tool for cracking authentication. This tool is proof-of-concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized remote access to a system. On top of that it supports more than 30 protocols, among them TELNET, FTP, HTTP-GET, HTTP-HEAD, HTTPS-GET, HTTPS-HEAD, HTTP-PROXY, VNC, POP3, IMAP, NNTP, ICQ, SAP/R3, Cisco auth, Cisco enable, SMTP-AUTH, SSH2, SNMP, Cisco AAA.
You can find this tool in the Backtrack Live CD.
Nowadays many applications restrict login attempts, so after several failed attempts your IP will be banned. TSGrinder is the first production Terminal Server brute force tool; the most interesting thing in TSGrinder is that you can specify how many times to try a username/password combination within a particular connection, and if you are using a proxy that changes your IP on each connection, after some time you can pass the authentication phase.
It is important to note that all programs are used just for educational purposes.
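On the defending side of both the PPTP / MSSQL auditing post above and the per-IP ban that TSGrinder sidesteps, the useful check is to count failures per target account as well as per source address. The following added example (not part of this post or of any of the tools named) runs a sliding-window detector over constructed log lines; the log format and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system): a burst from one
# source against the PPTP service, then failures against the MSSQL "sa"
# account spread over rotating sources, which a per-IP ban alone misses.
SAMPLE_LOG = """\
2009-08-15T10:00:01 auth_fail svc=pptp src=10.0.0.5 user=vpnuser
2009-08-15T10:00:02 auth_fail svc=pptp src=10.0.0.5 user=vpnuser
2009-08-15T10:00:02 auth_fail svc=pptp src=10.0.0.5 user=vpnuser
2009-08-15T10:00:03 auth_fail svc=pptp src=10.0.0.5 user=vpnuser
2009-08-15T10:00:03 auth_fail svc=pptp src=10.0.0.5 user=vpnuser
2009-08-15T10:00:10 auth_fail svc=mssql src=198.51.100.1 user=sa
2009-08-15T10:00:11 auth_fail svc=mssql src=198.51.100.2 user=sa
2009-08-15T10:00:12 auth_fail svc=mssql src=198.51.100.3 user=sa
2009-08-15T10:00:13 auth_fail svc=mssql src=198.51.100.4 user=sa
2009-08-15T10:00:14 auth_fail svc=mssql src=198.51.100.5 user=sa
2009-08-15T10:05:00 auth_fail svc=mssql src=198.51.100.9 user=sa
"""

# Assumed line format: "<iso-timestamp> auth_fail svc=<svc> src=<ip> user=<name>"
LINE_RE = re.compile(r"^(\S+) auth_fail svc=(\S+) src=(\S+) user=(\S+)$")


def detect_bruteforce(log_text, window=timedelta(seconds=60), per_ip=5, per_user=5):
    """Return alerts as (kind, key, service, count); kind is 'ip' or 'user'."""
    hits = {"ip": defaultdict(deque), "user": defaultdict(deque)}
    thresholds = {"ip": per_ip, "user": per_user}
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not auth failures
        ts = datetime.fromisoformat(m.group(1))
        svc, src, user = m.group(2), m.group(3), m.group(4)
        # Track the same failure under both keys: (service, source) catches the
        # classic single-host burst, (service, account) catches rotating sources.
        for kind, key in (("ip", (svc, src)), ("user", (svc, user))):
            q = hits[kind][key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop events outside the window
                q.popleft()
            if len(q) >= thresholds[kind] and (kind, key) not in alerted:
                alerted.add((kind, key))
                alerts.append((kind, key[1], svc, len(q)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print("ALERT", alert)
```

The MSSQL run never trips the per-IP rule (each source fails only once) but does trip the per-account rule, which is the signal to keep when source addresses are cheap to rotate.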
Hackers 'can attack through staff password'
Posted by Mourad Ben Lakhoua in Password Security on May 3, 2009
Companies are concerned that their employees are jeopardising their network security by not being careful about their passwords.
That’s according to Graham Cluley, senior technology consultant at Sophos, who observed that many people use the same password for all sites they visit.
This could result in an increased risk of phishing and viruses being spread, he added.
‘Many corporations are worried about hackers gaining access to their employees' passwords, and many people base their password on the name of their pet, maybe the name of their girlfriend or wife, maybe their favourite football team – the kind of personal information that can be put on these sites,’ Mr Cluley noted.
‘If they’re using the same password for everything, chances are they are also using that password inside their corporation.’
The comments follow a recent survey by Sophos, which found that 63 per cent of systems administrators in organisations are concerned about workers putting too much information on social networking websites.
[Source: British Computer Society]
After more than three years since Symantec stopped the support and development of L0phtcrack, the tool that provided a titanic opportunity for password auditing and recovery.